Extract options

Default: The value specified in the CLEAN_KEYS in the transforms.conf file.

kvdelim

Syntax: kvdelim=<string>

Description: A list of character delimiters that separate the key from the value.

limit

Syntax: limit=<int>

Description: Specifies how many automatic key-value pairs to extract.

Default: 50

maxchars

Syntax: maxchars=<int>

Description: Specifies how many characters to look into the event.

Default: 10240

mv_add

Syntax: mv_add=<bool>

Description: Specifies whether to create multivalued fields. Overrides the value for the MV_ADD parameter in the transforms.conf file.

Default: false

pairdelim

Syntax: pairdelim=<string>

Description: A list of character delimiters that separate the key-value pairs from each other.

reload

Syntax: reload=<bool>

Description: Specifies whether to force reloading of the props.conf and transforms.conf files.

Default: false

segment

Syntax: segment=<bool>

Description: Specifies whether to note the locations of the key-value pairs with the results.

Default: false

Usage

Alias

The alias for the extract command is kv.

Examples

Example 1:

Extract field-value pairs that are delimited by the pipe or semicolon characters ( |; ). Extract values of the fields that are delimited by the equal or colon characters ( =: ). Each delimiter is an individual character. In this example, the "=" or ":" character separates the key from its value, and the "|" or ";" character separates one field-value pair from the next.

... | extract pairdelim="|;", kvdelim="=:"
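The following Python sketch is an added illustration, not Splunk code: it is a simplified model of how the pairdelim, kvdelim, limit, and maxchars options described on this page interact. The function names extract_kv and split_on_any and both sample events are constructed for this example, and quoting and key cleaning are ignored.

```python
# Added illustration: a simplified model of delimiter-based extraction.
# Not Splunk's implementation; quoting and key cleaning are ignored.

def split_on_any(text, delims):
    """Split text on any single character in delims (a set of characters)."""
    parts, current = [], []
    for ch in text:
        if ch in delims:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts

def extract_kv(raw, pairdelim, kvdelim, limit=50, maxchars=10240):
    """Return {key: value} for pairs found in the first maxchars characters."""
    fields = {}
    for pair in split_on_any(raw[:maxchars], pairdelim):
        if len(fields) >= limit:          # stop after `limit` pairs
            break
        # The first key-value delimiter character ends the key.
        idx = next((i for i, ch in enumerate(pair) if ch in kvdelim), -1)
        if idx <= 0:                      # no delimiter, or empty key
            continue
        key, value = pair[:idx].strip(), pair[idx + 1:].strip()
        # Assumption: a repeated key keeps its first value (no multivalue).
        if key and key not in fields:
            fields[key] = value
    return fields

# Constructed sample events, not taken from any real log.
SAMPLE = "user:alice|src=10.0.0.5;action:login|status=failure"
LONG_EVENT = "user:alice|note=" + "x" * 40 + "|action:login"

if __name__ == "__main__":
    print(extract_kv(SAMPLE, "|;", "=:"))
    print(extract_kv(SAMPLE, "|;", "=:", limit=2))
    # With a small maxchars, the trailing action field is never reached.
    print(extract_kv(LONG_EVENT, "|;", "=:", maxchars=30))
```

In this model, a pair that sits past maxchars or past the limit-th pair is not extracted, so a search that filters on that field would not match the event.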

Example 2:

Extract field-value pairs and reload field extraction settings from disk.

... | extract reload=true

Example 3:

Extract field-value pairs that are defined in the stanza 'access-extractions' in the transforms.conf file.
